ca-certificates: match /usr/share/ca-certificates to /etc/ssl/certs

It is a common pattern to bind mount /etc/ssl/certs from the host system into a container. This doesn't work on CoreOS because /etc/ssl/certs is just a pile of symlinks to /usr. If the applications in the container use Go then binding /usr/share/ca-certificates to /etc/ssl/certs does happen to work because Go only needs ca-certificates.crt which is in that top level directory. This however does not work for OpenSSL applications because it needs a whole directory of hashed certificates. To fix this change two things: - Remove the `mozilla` directory left over from when certs came from multiple sources. Install certs in ca-certificates directory instead. - Include the OpenSSL hash symlinks in ca-certificates.
2025-08-21 22:41:09 +02:00 · 2015-06-12 18:59:10 -07:00 · 2015-06-12 18:59:10 -07:00 · 6751326e80
commit 6751326e80
parent 68dbba9661
1 changed files with 43 additions and 17 deletions
--- a/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/ca-certificates-3.16-r3.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/ca-certificates-3.16-r3.ebuild
@ -26,40 +26,62 @@ RDEPEND="dev-libs/openssl
 DEPEND="${RDEPEND}
 	${PYTHON_DEPS}"
-sym_to_usr() {
+pkg_setup() {
-	local l="/etc/ssl/certs/${1##*/}"
+	python-any-r1_pkg_setup
-	local p="../../../usr/share/${PN}/${1}"
+
-	echo "L	${l}	-	-	-	-	${p}"
+	# Deal with the case where older ca-certificates installed a
 	# dir here, but newer one installs symlinks.  Portage will
 	# barf when you try to transition file types.
 	# This trick is stolen from sys-libs/timezone-data
 	if cd "${EROOT}"/usr/share/${PN} 2>/dev/null ; then
 		# In case of a failed upgrade, clean up the symlinks #506570
 		if [ -L .gentoo-upgrade ] ; then
 			rm -rf mozilla .gentoo-upgrade
 		fi
 		if [ -d mozilla ] ; then
 			rm -rf .gentoo-upgrade #487192
 			mv mozilla .gentoo-upgrade || die
 			ln -s .gentoo-upgrade mozilla || die
 		fi
 	fi
 }
 gen_hash_links() {
 	local certfile certhash
 	for certfile in "$@"; do
 		certhash=$(openssl x509 -hash -noout -in "${certfile}") || die
 		# This assumes the hashes have no collisions
 		ln -s "${certfile}" "${certhash}.0" || die
 	done
 }
 gen_tmpfiles() {
 	local certfile
 	echo "d	/etc/ssl		-	-	-	-	-"
 	echo "d	/etc/ssl/certs	-	-	-	-	-"
 	sym_to_usr ca-certificates.crt
 	for certfile in "$@"; do
-		sym_to_usr "${certfile}"
+		local l="/etc/ssl/certs/${certfile}"
-	done
+		local p="../../../usr/share/${PN}/${certfile}"
 	for certfile in "$@"; do
 		local certhash=$(openssl x509 -hash -noout -in "${certfile}")
 		# This assumes the hashes have no collisions
 		local l="/etc/ssl/certs/${certhash}.0"
 		local p="${certfile##*/}"
 		echo "L	${l}	-	-	-	-	${p}"
 	done
 }
 src_compile() {
 	local certdata="${MY_P}/nss/lib/ckfw/builtins/certdata.txt"
-	${PYTHON} "${FILESDIR}/certdata2pem.py" "${certdata}" mozilla || die
+	${PYTHON} "${FILESDIR}/certdata2pem.py" "${certdata}" certs || die
-	cat mozilla/*.pem > ca-certificates.crt || die
+
-	gen_tmpfiles mozilla/*.pem > ${PN}.conf || die
+	cd certs || die
 	gen_hash_links *.pem
 	cat *.pem > ca-certificates.crt || die
 	gen_tmpfiles * > "${S}/${PN}.conf" || die
 }
 src_install() {
 	insinto /usr/share/${PN}
-	doins ca-certificates.crt
+	doins certs/*
-	doins -r mozilla
+
 	# for compatibility with older directory structure
 	dosym . /usr/share/${PN}/mozilla
 	dosbin "${FILESDIR}/update-ca-certificates"
 	systemd_dounit "${FILESDIR}/clean-ca-certificates.service"
@ -72,3 +94,7 @@ src_install() {
 	dodir /etc/ssl/certs
 	systemd-tmpfiles --root="${D}" --create
 }
 pkg_postinst() {
 	rm -rf "${EROOT}"/usr/share/${PN}/.gentoo-upgrade
 }